Minneapolis students use “Rickroll” prank to highlight district computer security flaws
Updated: 10:00 p.m.
Two Minneapolis Public Schools students used an email prank Friday to draw attention to what they say are more security flaws in the district’s computer systems.
The teens, who described themselves as members of Washburn High School’s class of 2025, sent a mass email from a district account to staff and students.
Couched as a Rickroll joke, in which a prankster tricks their target into listening to Rick Astley’s “Never Gonna Give You Up,” the email linked to a detailed report that the teens wrote detailing the problems that they found, including easily accessible student photos and usernames.
Ian Coldwater, a Minneapolis-based professional hacker who helps their clients find vulnerabilities in computer systems, said in a phone interview Friday that the students uncovered serious security flaws.
MPR News is Member supported public media. Show your support today, donate, and ensure access to local news and in-depth conversations for everyone.
“There are things that are accessible from within the network that shouldn’t be,” Coldwater said. “There should be extra layers of having to be authorized to see some of this stuff, even if you are connected to the school network.”
The teens wrote in their report that a March ransomware attack targeting the district inspired them to investigate other potential information technology problems.
Coldwater, who reviewed the report for MPR News, said that the students included suggested fixes and were careful not to publish private data.
“Their work is solid,” Coldwater said. “I hope that people see their talent, see their desire and commitment to act ethically and help them cultivate it, channel it in good directions, hire them to help fix this rather than punishing them.”
The teens wrote that they were not able to access their fellow students’ grades, but that potential security flaws with Chromebook laptops could enable “academic cheating and dishonesty” when the computers are used for standardized testing.
In an email to MPR News Friday afternoon, district spokesperson Crystina Lugo-Beach downplayed this latest incident.
“This was NOT a hack, but an internal email sent out by a group of students…
